Electronic Health Record Security Concerns Are Global

By Robert Charette

Posted 26 Sep 2011 | 13:53 GMT

As I mentioned in a recent post, nearly half of Australians may end up boycotting the new voluntary electronic health record (EHR) system when it launches next year because they believe the government can't provide guarantees that their private medical details will remain private. A new Harris survey sponsored by the identity management company Sailpoint highlights EHR privacy concerns not only in Australia, but also in the United Kingdom and the United States.

According to the survey findings, some 83 percent of Australians, 81 percent of Britons, and 80 percent of Americans express some level of concern about moving their personal medical information to an electronic form.

When they were asked about a health care organization managing their personal information electronically, the survey respondents indicated that they are most concerned about:

Their identities being stolen—37 percent of Australians, 33 percent of Britons, and 35 percent of Americans

Personal info exposed on the Internet—30 percent of Australians, 26 percent of Britons, and 29 percent of Americans

Personal information being viewed by persons not directly related to the patient’s care—11 percent of Australians, 15 percent of Britons, and 10 percent of Americans

The responses seem to be in close alignment across all three countries, even though health privacy regulations differ in each country. The lack of faith in IT security vis-à-vis health care seems to be a universal phenomenon, probably with understandable reasons.

For example, since September 2009, at least 9.8 million instances of improper disclosure of medical information have been recorded in the United States. Earlier this month, the renowned Stanford Hospital & Clinics in California added to the total when it announced that the electronic health records of 20 000 of its emergency room patients seen between March 1st and August 31st of 2009, including their names, diagnostic codes, medical record numbers, hospital account numbers, billing charges, and emergency room admission and discharge dates, had been posted for nearly a year (Sept. 9, 2010, to Aug. 23, 2011) on a commercial Web site called Student of Fortune.

The San Jose Mercury Newsreported that Student of Fortune solicits bids to answer homework questions. The patient information showed up as a spreadsheet attached to a file, and was traced to a vendor that worked with for the hospital. All work with the vendor has been suspended pending an investigation.

According to the newspaper, a stolen health record is now worth US $50 on the information black market, whereas a Social Security number is worth about a $1 (a credit card number fetches $1 to $2).

The Trust tried to play down the incident by saying the information was from 2002 and probably was not retrievable. The Trust also stated:

"It is important to stress that information systems now are far more secure than they were at the time these files were produced—we no longer store information on floppy disks or CDs and use sophisticated systems of encryption."

Which is true but also somewhat irrelevant because, as reported in a story at PublicService.co.uk, the Trust also admitted that it needed to retrain its personnel in current data security policies, which were not followed, leading to the incident in the first place.

This is not surprising. In a study released last week by the consulting company PWC and its Health Research Institute, only 58 percent of health care providers and 41 percent of health insurers were found to have trained employees on privacy measures related to the use of electronic health records.

With findings like that, it makes you wonder why 20 percent of folks in the Australia, Britain, and the United States still express no concern about EHRs and IT security.